VPN - VRF-aware ipsec cheat sheet

(MultiSite Redundancy) Real World - Part2


Hi everybody.

I want to share my investigation of how you can configure a VPN for multiple tenants and terminate it in the VRF of your customer at two sites, for redundancy with IP SLA.
If you are not familiar with the VRF-aware IPsec concept, look at this topic; it can help you understand it:
VRF-AWARE IPsec
You can follow phase one here (Phase1):
MultiSite Redundancy
HSRP & DHCP in VRF
You can follow the next phase here (Phase3)

Cisco
VRF-Aware Ipsec Cisco
VRF-Aware Ipsec Cisco 2
VRF-Aware Ipsec Cisco PDF
Topic

2016 Cisco and/or its affiliates. All Rights Reserved.


This document is Cisco Public Information.

Generated on 2016-04-23-07:00

VRF-Aware Ipsec Topic


VRF-Aware Ipsec Topic 2
Blog
IP-SLA
IP-SLA 2
IP-SLA 3

First scenario: two customers are connected to DC1 and DC2 by VPN access for redundancy (Phase2)
Topology

The goal of this second phase is to simulate two VPN client connections to two different DCs from a single device.
These customers have the same IP block in the local and the remote site, and for this reason we need to make the IPsec VRF-aware.
!! Note: the clients need to have two separate environments !!
To make this work we take advantage of IKE profiles with keyrings and VRFs, and also of IP SLA.
LAB (Phase2)
In this lab we set up the two VPNs to the CX router and the KK router. I start the VPN from the customer to CX, after that I simulate a link failure, and we can see the second link go UP (I hope).


The configuration files of the three routers are in the Zip file.


CX-ASR Configuration
CX-ASR Basic configuration
enable
!
Conf t
!
hostn CX-ASR
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!

CX-ASR SSH configuration


crypto key gen rsa
!
1024
!
line con 0
!
loggi syn
!
exec-t 25
!
line vty 0 15
!
login local
!


tran in ssh
!

CX-ASR VRF Outside configuration (FVRF)


ip vrf outside-vrf
!
description Outside WAN
!

CX-ASR VRF configuration (IVRF)


ip vrf cust1-vrf
!
description Customer 1 Vrf
!


CX-ASR VRF configuration (IVRF)


ip vrf cust2-vrf
!
description Customer 2 Vrf
!

CX-ASR WAN Interfaces configuration


inte fa0/0
!
ip vrf forw outside-vrf
!
ip add 85.147.160.1 255.255.255.240
!
no shut
!
descr WAN interface


CX-ASR Global Clients Interface configuration


inte g1/0
!
no shut
!

CX-ASR Cust1 Interfaces configuration


inte g1/0.10
!
ip vrf forw cust1-vrf
!
encapsulation dot1Q 1000
!


ip add 192.168.20.1 255.255.255.0
!
no shut
!
descr Lan interface Cust-1
!

CX-ASR Cust2 Interfaces configuration


inte g1/0.20
!
ip vrf forw cust2-vrf
!
encapsulation dot1Q 2000
!
ip add 192.168.20.1 255.255.255.0
!
no shut
!
descr Lan interface Cust-2
!


CX-ASR Keyring configuration (For Cust1)


crypto keyring cust1-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.10 key cust-1
!

CX-ASR Keyring configuration (For Cust2)


crypto keyring cust2-keyring vrf outside-vrf
!
pre-shared-key address 85.147.160.11 key cust-2
!


CX-ASR ISAKMP (IKE) Phase 1 configuration


crypto isakmp policy 100
!
encr 3des
!
authentication pre-share
!
group 2
!
lifetime 86400
!

CX-ASR Profile ISAKMP (IKE) Phase 1 configuration (For Cust1)


crypto isakmp profile cust1-ike-prof
!
vrf cust1-vrf
!
keyring cust1-keyring
!
match identity address 85.147.160.10 255.255.255.240 outside-vrf
!


CX-ASR Profile ISAKMP (IKE) Phase 1 configuration (For Cust2)


crypto isakmp profile cust2-ike-prof
!
vrf cust2-vrf
!
keyring cust2-keyring
!
match identity address 85.147.160.11 255.255.255.240 outside-vrf
!

CX-ASR IPsec Phase 2 configuration


crypto ipsec transform-set strong ah-sha-hmac esp-3des
!


CX-ASR Crypto Map Phase 2 configuration (For Cust1)


crypto map ipsec-maps 10 ipsec-isakmp
!
description ** Client 1 **
!
set peer 85.147.160.10
!
set transform-set strong
!
set isakmp-profile cust1-ike-prof
!
match address cust-1
!

CX-ASR Crypto Map Phase 2 configuration (For Cust2)


crypto map ipsec-maps 20 ipsec-isakmp
!
description ** Client 2 **
!
set peer 85.147.160.11
!
set transform-set strong
!
set isakmp-profile cust2-ike-prof
!
match address cust-2
!


CX-ASR Apply to interface Crypto Map Phase 2 configuration


int fa0/0
!
crypto map ipsec-maps
!

CX-ASR ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-1
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!


CX-ASR ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!

CX-ASR NAT Overload configuration (Wan Traffic)


ip nat inside source list 100 interface fastethernet0/0 overload
!


CX-ASR: exclude the VPN traffic from NAT and allow all other traffic to be NATed (NAT exemption for the VPN traffic)
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 100 remark

CX-ASR Route for VRF Cust1 (Default Route) !! Note: a more specific route can be set up !!
ip route vrf cust1-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 85.147.160.1
!


CX-ASR Route for VRF Cust2 (Default Route) !! Note: a more specific route can be set up !!
ip route vrf cust2-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 85.147.160.1
!

CX-ASR Save command (Save Configuration) !! Don't forget !!


copy run start
!


CX-ASR Troubleshooting
CX-ASR Show commands (General view)
sho ip int b
!
sho run
!

CX-ASR Show commands (For VPN)
sho crypto isakmp key
!
sho crypto isakmp policy
!
sho crypto isakmp profile
!
sho crypto ipsec transform-set
!
sho crypto map
!
sho ip access-lists
!


CX-ASR Show commands (For VRF)
sho ip vrf
!
sho ip vrf outside-vrf
!
sho ip vrf cust1-vrf
!
sho ip vrf cust2-vrf
!
sho ip route vrf outside-vrf
!
sho ip route vrf cust1-vrf
!
sho ip route vrf cust2-vrf
!

CX-ASR Debug commands (For VPN)
debug cry ipsec
!
debug cry isakmp
!
debug ip icmp
!
debug ip nat
!


KK-ASR Configuration
KK-ASR Basic configuration
enable
!
Conf t
!
hostn KK-ASR
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!


KK-ASR SSH configuration


crypto key gen rsa
!
1024
!
line con 0
!
loggi syn
!
exec-t 25
!
line vty 0 15
!
login local
!
tran in ssh
!

KK-ASR VRF Outside configuration (FVRF)


ip vrf outside-vrf
!
description Outside WAN
!


KK-ASR VRF configuration (IVRF)


ip vrf cust1-vrf
!
description Customer 1 Vrf
!

KK-ASR VRF configuration (IVRF)


ip vrf cust2-vrf
!
description Customer 2 Vrf
!


KK-ASR WAN Interfaces configuration


inte fa0/0
!
ip vrf forw outside-vrf
!
ip add 104.57.98.1 255.255.255.240
!
no shut
!
descr WAN interface
!

KK-ASR Global Clients Interface configuration


inte g1/0
!
no shut
!


KK-ASR Cust1 Interfaces configuration


inte g1/0.10
!
ip vrf forw cust1-vrf
!
encapsulation dot1Q 1000
!
ip add 192.168.20.1 255.255.255.0
!
no shut
!
descr Lan interface Cust-1
!

KK-ASR Cust2 Interfaces configuration


inte g1/0.20
!
ip vrf forw cust2-vrf
!
encapsulation dot1Q 2000
!
ip add 192.168.20.1 255.255.255.0
!


no shut
!
descr Lan interface Cust-2
!

KK-ASR Keyring configuration (For Cust1)


crypto keyring cust1-keyring vrf outside-vrf
!
pre-shared-key address 104.57.98.10 key cust-1
!

KK-ASR Keyring configuration (For Cust2)


crypto keyring cust2-keyring vrf outside-vrf
!
pre-shared-key address 104.57.98.11 key cust-2


KK-ASR ISAKMP (IKE) Phase 1 configuration


crypto isakmp policy 100
!
encr 3des
!
authentication pre-share
!
group 2
!
lifetime 86400
!

KK-ASR Profile ISAKMP (IKE) Phase 1 configuration (For Cust1)


crypto isakmp profile cust1-ike-prof


!
vrf cust1-vrf
!
keyring cust1-keyring
!
match identity address 104.57.98.10 255.255.255.240 outside-vrf
!

KK-ASR Profile ISAKMP (IKE) Phase 1 configuration (For Cust2)


crypto isakmp profile cust2-ike-prof
!
vrf cust2-vrf
!
keyring cust2-keyring
!
match identity address 104.57.98.11 255.255.255.240 outside-vrf
!


KK-ASR IPsec Phase 2 configuration


crypto ipsec transform-set strong ah-sha-hmac esp-3des
!

KK-ASR Crypto Map Phase 2 configuration (For Cust1)


crypto map ipsec-maps 10 ipsec-isakmp
!
description ** Client 1 **
!
set peer 104.57.98.10
!
set transform-set strong
!
set isakmp-profile cust1-ike-prof
!
match address cust-1
!


KK-ASR Crypto Map Phase 2 configuration (For Cust2)


crypto map ipsec-maps 20 ipsec-isakmp
!
description ** Client 2 **
!
set peer 104.57.98.11
!
set transform-set strong
!
set isakmp-profile cust2-ike-prof
!
match address cust-2
!

KK-ASR Apply to interface Crypto Map Phase 2 configuration


int fa0/0
!
crypto map ipsec-maps
!


KK-ASR ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-1
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!

KK-ASR ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!


KK-ASR NAT Overload configuration (WAN Traffic)


ip nat inside source list 100 interface fastethernet0/0 overload
!

KK-ASR: exclude the VPN traffic from NAT and allow all other traffic to be NATed (NAT exemption for the VPN traffic)
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 100 remark


KK-ASR Route for VRF Cust1 (Default Route) !! Note: a more specific route can be set up !!
ip route vrf cust1-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 104.57.98.1
!

KK-ASR Route for VRF Cust2 (Default Route) !! Note: a more specific route can be set up !!
ip route vrf cust2-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 104.57.98.1
!


KK-ASR Save command (Save Configuration) !! Don't forget !!


copy run start
!

KK-ASR Troubleshooting
KK-ASR Show commands (General view)
sho ip int b
!
sho run
!

KK-ASR Show commands (For VPN)
sho crypto isakmp key
!
sho crypto isakmp policy
!
sho crypto isakmp profile
!
sho crypto ipsec transform-set
!
sho crypto map
!
sho ip access-lists
!

KK-ASR Show commands (For VRF)
sho ip vrf
!
sho ip vrf outside-vrf
!
sho ip vrf cust1-vrf
!
sho ip vrf cust2-vrf
!
sho ip route vrf outside-vrf
!
sho ip route vrf cust1-vrf
!
sho ip route vrf cust2-vrf
!

KK-ASR Debug commands (For VPN)
debug cry ipsec
!
debug cry isakmp
!
debug ip icmp
!
debug ip nat
!

Now we have finished with the two sites; the difference is now made on the customer (client) side.
Cust1 Configuration
Cust1 Basic configuration
enable
!
Conf t
!
hostn Cust1
!


no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!

Cust1 SSH configuration


crypto key gen rsa
!
1024
!
line con 0
!
loggi syn
!
exec-t 25
!
line vty 0 15
!
login local
!
tran in ssh


Cust1 WAN Interfaces configuration


inte fa0/0
!
ip add 85.147.160.10 255.255.255.240
!
no shut
!
descr WAN interface
!

Cust1 WAN 2 Interfaces configuration (New)


inte fa3/0
!
ip address 104.57.98.10 255.255.255.240
!
no shut
!
descr WAN interface
!


We can use a sub-interface for that and tag the frames (optional)
Cust1 WAN 2 Interface configuration (Optional)
inte fa0/0.1
!
encapsulation dot1Q 999
!
ip address 104.57.98.10 255.255.255.240
!
no shut
!
descr WAN interface
!

Cust1 Interfaces Lan configuration


inte g1/0
!
ip add 192.168.10.1 255.255.255.0
!
no shut
!
descr Lan interface
!


We are going to track the state of the remote site by pinging the peer's WAN address with an IP SLA probe. If we don't get an answer we can take an action on it; in our case a tracked route is added or removed depending on the result.
Cust1 IP SLA for WAN Interface configuration
ip sla monitor 10
!
type echo protocol ipIcmpEcho 85.147.160.1 source-interface FastEthernet0/0
!
frequency 5
!
ip sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!

Cust1 IP SLA for WAN 2 Interfaces configuration


ip sla monitor 20
!
type echo protocol ipIcmpEcho 104.57.98.1 source-interface FastEthernet3/0
!
frequency 5
!
ip sla monitor schedule 20 life forever start-time now
!


track 2 rtr 20 reachability
!

Cust1 Pre-shared Key configuration for CX-ASR Site A


crypto isakmp key cust-1 address 85.147.160.1
!

Cust1 Pre-shared Key configuration for KK-ASR Site B


crypto isakmp key cust-1 address 104.57.98.1
!


Cust1 ISAKMP (IKE) Phase 1 configuration


crypto isakmp policy 100
!
encr 3des
!
authentication pre-share
!
group 2
!
lifetime 86400
!

Cust1 IPsec Phase 2 configuration


crypto ipsec transform-set strong ah-sha-hmac esp-3des
!


Cust1 Crypto Map Phase 2 configuration For WAN Site A CX-ASR


crypto map ipsec-maps 10 ipsec-isakmp
!
description ** Client 1 **
!
set peer 85.147.160.1
!
set transform-set strong
!
match address cust-1
!

Cust1 Crypto Map Phase 2 configuration For WAN 2 Site B KK-ASR


crypto map ipsec-maps-outside2 20 ipsec-isakmp
!
description ** Client 1 Site2 **
!
set peer 104.57.98.1
!
set transform-set strong
!
match address cust-1
!


Cust1 Apply to interface Crypto Map Phase 2 configuration for WAN Site A CX-ASR
int fa0/0
!
crypto map ipsec-maps
!

Cust1 Apply to interface Crypto Map Phase 2 configuration for WAN 2 Site B KK-ASR
int fa3/0
!
crypto map ipsec-maps-outside2
!

Cust1 ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic). We use the same ACL for both crypto maps because it is the same traffic, but you can make two ACLs if you want
ip access-list extended cust-1
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255


Cust1 NAT Overload configuration (Wan Traffic) For WAN Site A CX-ASR
ip nat inside source list 100 interface fastethernet0/0 overload
!

Cust1 NAT Overload configuration (Wan Traffic) For WAN 2 Site B KK-ASR
ip nat inside source list 150 interface fastethernet3/0 overload
!


Cust1: exclude the VPN traffic from NAT and allow all other traffic to be NATed (NAT exemption for the VPN traffic), used for WAN Site A CX-ASR
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 100 remark
!

Cust1: exclude the VPN traffic from NAT and allow all other traffic to be NATed (NAT exemption for the VPN traffic), used for WAN 2 Site B KK-ASR
ip nat inside source list 150 interface fastethernet3/0 overload
!
access-list 150 remark -=[Define NAT Service]=
!
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 150 remark
!


Cust1 Route (Static Route) for WAN Site A CX-ASR, added with a track object !! Note: a more specific route can be set up !!
ip route 192.168.20.0 255.255.255.0 85.147.160.1 track 1
!

Cust1 Route (Floating Static Route, administrative distance 254) for WAN 2 Site B KK-ASR, added with a track object !! Note: a more specific route can be set up !!
ip route 192.168.20.0 255.255.255.0 104.57.98.1 254 track 2
!

Cust1 Save command (Save Configuration) !! Don't forget !!


copy run start
!


Cust1 Troubleshooting
Cust1 Show commands (General view)
sho ip int b
!
sho run
!

Cust1 Show commands (For VPN)
sho crypto isakmp key
!
sho crypto isakmp policy
!
sho crypto ipsec transform-set
!
sho crypto map
!
sho ip access-lists
!

Cust1 Show Route command
sho ip route
!

Cust1 Debug commands (For VPN)
debug cry ipsec
!
debug cry isakmp
!
debug ip icmp
!
debug ip nat
!


Cust2 Configuration
Cust2 Basic configuration
enable
!
Conf t
!
hostn Cust2
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!

Cust2 SSH configuration


crypto key gen rsa
!


1024
!
line con 0
!
loggi syn
!
exec-t 25
!
line vty 0 15
!
login local
!
tran in ssh

Cust2 WAN Interfaces configuration


inte fa0/0
!
ip add 85.147.160.11 255.255.255.240
!
no shut
!
descr WAN interface
!


Cust2 WAN 2 Interfaces configuration (New)


inte fa3/0
!
ip address 104.57.98.11 255.255.255.240
!
no shut
!
descr WAN interface
!

We can use a sub-interface for that and tag the frames (optional)
Cust2 WAN 2 Interface configuration (Optional)
inte fa0/0.1
!
encapsulation dot1Q 999
!
ip address 104.57.98.11 255.255.255.240
!
no shut
!
descr WAN interface
!


Cust2 Interfaces Lan configuration


inte g1/0
!
ip add 192.168.10.1 255.255.255.0
!
no shut
!
descr Lan interface
!

We are going to track the state of the remote site by pinging the peer's WAN address with an IP SLA probe. If we don't get an answer we can take an action on it; in our case a tracked route is added or removed depending on the result.
Cust2 IP SLA for WAN Interface configuration
ip sla monitor 10
!
type echo protocol ipIcmpEcho 85.147.160.1 source-interface FastEthernet0/0
!
frequency 5
!
ip sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!


Cust2 IP SLA for WAN 2 Interfaces configuration


ip sla monitor 20
!
type echo protocol ipIcmpEcho 104.57.98.1 source-interface FastEthernet3/0
!
frequency 5
!
ip sla monitor schedule 20 life forever start-time now
!
track 2 rtr 20 reachability
!

Cust2 Pre-shared Key configuration for CX-ASR Site A


crypto isakmp key cust-2 address 85.147.160.1
!

Cust2 Pre-shared Key configuration for KK-ASR Site B

! The key must match the cust2-keyring entry for 104.57.98.11 on KK-ASR (key cust-2)
crypto isakmp key cust-2 address 104.57.98.1
!


Cust2 ISAKMP (IKE) Phase 1 configuration


crypto isakmp policy 100
!
encr 3des
!
authentication pre-share
!
group 2
!
lifetime 86400
!

Cust2 IPsec Phase 2 configuration


crypto ipsec transform-set strong ah-sha-hmac esp-3des
!


Cust2 Crypto Map Phase 2 configuration


crypto map ipsec-maps 10 ipsec-isakmp
!
description ** Client 2 **
!
set peer 85.147.160.1
!
set transform-set strong
!
match address cust-2
!

Cust2 Crypto Map Phase 2 configuration For WAN 2 Site B KK-ASR


crypto map ipsec-maps-outside2 20 ipsec-isakmp
!
description ** Client 1 Site2 **
!
set peer 104.57.98.1
!
set transform-set strong
!
match address cust-1
!


Cust2 Apply to interface Crypto Map Phase 2 configuration


int fa0/0
!
crypto map ipsec-maps
!

Cust2 ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!


Cust2 Apply to interface Crypto Map Phase 2 configuration for WAN 2 Site B KK-ASR
int fa3/0
!
crypto map ipsec-maps-outside2
!

Cust2 ACL Cust-1 for the second Crypto Map Phase 2 configuration (Interesting Traffic). We use the same ACL definition because it is the same traffic, but you can make two ACLs if you want
ip access-list extended cust-1
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!

Cust2 NAT Overload configuration (Wan Traffic)


ip nat inside source list 100 interface fastethernet0/0 overload
!


Cust2 NAT Overload configuration (Wan Traffic) For WAN 2 Site B KK-ASR
ip nat inside source list 150 interface fastethernet3/0 overload
!

Cust2: exclude the VPN traffic from NAT and allow all other traffic to be NATed (NAT exemption for the VPN traffic), used for WAN Site A CX-ASR
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 100 remark
!

Cust2: exclude the VPN traffic from NAT and allow all other traffic to be NATed (NAT exemption for the VPN traffic), used for WAN 2 Site B KK-ASR
ip nat inside source list 150 interface fastethernet3/0 overload
!
access-list 150 remark -=[Define NAT Service]=
!
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 150 remark
!

Cust2 Route (Static Route) for WAN Site A CX-ASR, added with a track object !! Note: a more specific route can be set up !!
ip route 192.168.20.0 255.255.255.0 85.147.160.1 track 1
!

Cust2 Route (Floating Static Route, administrative distance 254) for WAN 2 Site B KK-ASR, added with a track object !! Note: a more specific route can be set up !!
ip route 192.168.20.0 255.255.255.0 104.57.98.1 254 track 2
!


Cust2 Save command (Save Configuration) !! Don't forget !!


copy run start
!

Cust2 Troubleshooting
Cust2 Show commands (General view)
sho ip int b
!
sho run
!

Cust2 Show commands (For VPN)
sho crypto isakmp key
!
sho crypto isakmp policy
!
sho crypto ipsec transform-set
!
sho crypto map
!
sho ip access-lists
!

Cust2 Show Route command
sho ip route
!

Cust2 Debug commands (For VPN)
debug cry ipsec
!
debug cry isakmp
!
debug ip icmp
!
debug ip nat
!

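Before testing, it is worth checking that the four pieces the VRF-aware design depends on (crypto map peer, IKE profile, keyring in the FVRF, and the customer's pre-shared key) actually agree with each other, since a copy-paste slip in any one of them breaks Phase 1 silently. The following is an added example, not code from the cheat sheet: a small Python consistency checker that reads hub and client commands in the cheat sheet's own style (one command per line, `!` separators) and reports mismatches. The CX-ASR and Cust1 fragments are transcribed from the page; the `CUST1_BAD` client with a mistyped key is a constructed negative case. It assumes `match identity address IP MASK` is evaluated as a subnet test, and the parser only understands the command forms used on this page.

```python
import ipaddress

MAP_KEYS = {"peer": "peer", "isakmp-profile": "profile", "address": "acl"}

def parse_ios(text):
    """Collect keyrings, ISAKMP profiles, crypto-map entries, crypto ACLs and client
    'crypto isakmp key' lines; sub-commands attach to the most recent parent command."""
    cfg = {"keyrings": {}, "profiles": {}, "maps": [], "acls": {}, "psks": {}}
    kind = cur = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:2] == ["crypto", "keyring"]:                 # crypto keyring NAME vrf FVRF
            vrf = t[t.index("vrf") + 1] if "vrf" in t else None
            cur, kind = cfg["keyrings"].setdefault(t[2], {"vrf": vrf, "psk": {}}), "keyring"
        elif t[:3] == ["crypto", "isakmp", "profile"]:
            cur, kind = cfg["profiles"].setdefault(t[3], {"vrf": None, "keyring": None, "match": []}), "profile"
        elif t[:3] == ["crypto", "isakmp", "key"]:         # client: crypto isakmp key K address IP
            cfg["psks"][t[5]], kind = t[3], None
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:   # crypto map NAME SEQ ipsec-isakmp
            cur, kind = {"map": t[2], "seq": int(t[3]), "peer": None, "profile": None, "acl": None}, "map"
            cfg["maps"].append(cur)
        elif t[:3] == ["ip", "access-list", "extended"]:
            cur, kind = cfg["acls"].setdefault(t[3], []), "acl"
        elif kind == "keyring" and t[0] == "pre-shared-key":       # pre-shared-key address IP key K
            cur["psk"][t[2]] = t[4]
        elif kind == "profile" and t[0] in ("vrf", "keyring"):      # IVRF and keyring of the profile
            cur[t[0]] = t[1]
        elif kind == "profile" and t[:2] == ["match", "identity"]:  # match identity address IP MASK FVRF
            cur["match"].append((t[3], t[4], t[5]))
        elif kind == "map" and len(t) > 2 and t[1] in MAP_KEYS:     # set peer / set isakmp-profile / match address
            cur[MAP_KEYS[t[1]]] = t[2]
        elif kind == "acl" and t[0] == "permit":                    # permit ip SRC WC DST WC
            cur.append((t[2], t[3], t[4], t[5]))
    return cfg

def covers(ip, addr, mask):
    """True when ip lies inside addr/mask (assumed semantics of 'match identity address')."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_hub(hub):
    """Per crypto-map entry: the IKE profile, its keyring and the FVRF/IVRF plumbing must line up."""
    out = []
    for m in hub["maps"]:
        tag, prof = f"{m['map']} seq {m['seq']}", hub["profiles"].get(m["profile"])
        ring = hub["keyrings"].get(prof["keyring"]) if prof else None
        if ring is None:
            out.append(f"{tag}: isakmp-profile {m['profile']} or its keyring is undefined")
            continue
        if m["peer"] not in ring["psk"]:
            out.append(f"{tag}: keyring {prof['keyring']} has no pre-shared-key for {m['peer']}")
        hits = [mt for mt in prof["match"] if covers(m["peer"], mt[0], mt[1])]
        if not hits or any(mt[2] != ring["vrf"] for mt in hits):
            out.append(f"{tag}: no match identity for {m['peer']} in FVRF {ring['vrf']}")
        if not prof["vrf"]:
            out.append(f"{tag}: profile {m['profile']} has no IVRF ('vrf' line)")
        if m["acl"] not in hub["acls"]:
            out.append(f"{tag}: crypto ACL {m['acl']} is undefined")
    return out

def check_pair(hub, hub_wan, client, client_wan):
    """Both sides must hold the same PSK for each other; the client's crypto ACL must mirror the hub's."""
    out = []
    hub_key = next((r["psk"][client_wan] for r in hub["keyrings"].values() if client_wan in r["psk"]), None)
    if hub_key != client["psks"].get(hub_wan):
        out.append(f"PSK mismatch {client_wan}<->{hub_wan}: hub={hub_key} client={client['psks'].get(hub_wan)}")
    h = next((m for m in hub["maps"] if m["peer"] == client_wan), None)
    c = next((m for m in client["maps"] if m["peer"] == hub_wan), None)
    if h and c:
        mirror = {(d, dw, s, sw) for s, sw, d, dw in client["acls"].get(c["acl"], [])}
        if set(hub["acls"].get(h["acl"], [])) != mirror:
            out.append(f"crypto ACL {h['acl']} on the hub does not mirror {c['acl']} on the client")
    return out

def audit(hub_text, hub_wan, client_text, client_wan):
    hub, client = parse_ios(hub_text), parse_ios(client_text)
    return check_hub(hub) + check_pair(hub, hub_wan, client, client_wan)

# CX-ASR side for Cust1 and the Cust1 side, transcribed from the cheat sheet.
CX_ASR = """
crypto keyring cust1-keyring vrf outside-vrf
pre-shared-key address 85.147.160.10 key cust-1
crypto isakmp profile cust1-ike-prof
vrf cust1-vrf
keyring cust1-keyring
match identity address 85.147.160.10 255.255.255.240 outside-vrf
crypto map ipsec-maps 10 ipsec-isakmp
set peer 85.147.160.10
set isakmp-profile cust1-ike-prof
match address cust-1
ip access-list extended cust-1
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
CUST1 = """
crypto isakmp key cust-1 address 85.147.160.1
crypto map ipsec-maps 10 ipsec-isakmp
set peer 85.147.160.1
match address cust-1
ip access-list extended cust-1
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
# Constructed negative case: the same client with the PSK mistyped as cust-2.
CUST1_BAD = CUST1.replace("key cust-1", "key cust-2")

if __name__ == "__main__":
    print(audit(CX_ASR, "85.147.160.1", CUST1_BAD, "85.147.160.10"))
```

Run the same `audit` against KK-ASR with the 104.57.98.x addresses and against each customer's second WAN; the checker flags exactly the class of slip that is easy to make when the two customer configurations are copied from each other.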
Test Connectivity (Initiator is CX-ASR)

You can see the crypto session; the two VPNs are down now.


show crypto map

I initiate the connectivity from Cust1 to the CX-ASR router, which is the primary site, over WAN link 1. You can see on the screen that the two VPNs are down in the beginning.

ping 192.168.20.1 source 192.168.10.1


Now you can see the ICMP reply from CX-ASR, and the VPN status is UP for Cust1.

sho crypto map


Now if you look at the routing table of Cust1 you can see that the route to reach the subnet 192.168.20.0/24 points to CX-ASR.

Now I'm going to simulate a failure on the CX-ASR router; I'm going to run a continuous ping and see what happens to the traffic.

interface FastEthernet 0/0
!
shutdown
!


See the output of the continuous ping.

Here we are: in the first ping to Site A you can see the first packet is dropped, due to the ARP table and the VPN being down for CX-ASR.
After that the VPN goes UP and you can see the ping is answered; when I shut down the link of Site A you get a small delay.
This delay is the time of the IP SLA tracking I have configured, the insertion of the new route into the routing table, the VPN negotiation and the first ARP.
After that the subnet is still responding, but not from the same site: if I show you the screen of the new IP route, the route has changed and its administrative distance is 254.

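The failover just described, as an added example that is not part of the cheat sheet: a small Python model of the two tracked static routes on Cust1 (the route via 85.147.160.1 at the default administrative distance of 1 with `track 1`, and the floating route via 104.57.98.1 at distance 254 with `track 2`) with the IP SLA probes sent every 5 seconds as configured. Assumptions made here, not stated on the page: a reachability track goes down on the first probe cycle that gets no reply (no track delay timers), a probe fails from the moment its WAN interface is down, and the IKE negotiation and ARP time the author mentions are not modelled, so the figure is only the routing part of the delay.

```python
# Tracked static routes transcribed from the Cust1 configuration on the page:
# (prefix, next hop, administrative distance, track object)
CUST1_ROUTES = [
    ("192.168.20.0/24", "85.147.160.1", 1, 1),     # via CX-ASR, default AD 1
    ("192.168.20.0/24", "104.57.98.1", 254, 2),    # floating static via KK-ASR
]
# Track object -> WAN interface its IP SLA echo probe is sourced from (from the page).
CUST1_PROBES = {1: "FastEthernet0/0", 2: "FastEthernet3/0"}
PROBE_FREQUENCY_S = 5   # 'frequency 5' in both ip sla monitors on the page


def installed_next_hop(routes, track_up):
    """Route selection for one prefix: only routes whose track object is up are
    candidates, and among those the lowest administrative distance is installed.
    Returns None when every candidate is withdrawn from the RIB."""
    candidates = [r for r in routes if track_up.get(r[3], False)]
    return min(candidates, key=lambda r: r[2])[1] if candidates else None


def simulate(routes, probes, link_down_at, horizon_s, frequency_s=PROBE_FREQUENCY_S):
    """Walk the probe timeline and return the (time, next hop) transitions of the
    RIB entry.  Assumption: a probe fails as soon as its WAN interface is down and
    the reachability track flips on that same probe cycle (no delay timers)."""
    transitions, current = [], object()   # sentinel so the first cycle is always recorded
    for t in range(0, horizon_s + 1, frequency_s):
        track_up = {trk: not (ifc in link_down_at and link_down_at[ifc] <= t)
                    for trk, ifc in probes.items()}
        hop = installed_next_hop(routes, track_up)
        if hop != current:
            transitions.append((t, hop))
            current = hop
    return transitions


def failover_delay(transitions, link_down_time):
    """Seconds from the link failure to the first RIB change at or after it (None if none)."""
    return next((t - link_down_time for t, _ in transitions if t >= link_down_time), None)


if __name__ == "__main__":
    # WAN link 1 (fa0/0) shut at t=12 s, like the author's 'shutdown' test on CX-ASR.
    tr = simulate(CUST1_ROUTES, CUST1_PROBES, {"FastEthernet0/0": 12}, 30)
    print(tr, "route switched after", failover_delay(tr, 12), "s")
```

With the link shut at 12 s, the next probe cycle at 15 s misses, track 1 goes down, the primary route is withdrawn and the floating route with distance 254 is installed, which is the "weight 254" the author sees in `sho ip route`; in the worst case the routing part of the delay is one full probe interval, and the VPN and ARP steps add to it.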

Now if I look at the crypto session the two VPNs are UP, and if I switch.

Enjoy; this real VPN redundancy topic is now finished.

In the next phase (Phase 3) I'm going to add HSRP for redundancy in both DCs, and each customer will have one gateway in its own VRF; in Phase 4 I'm going to make some changes to the VPN to add tunnel interfaces that allow dynamic routing such as OSPF.
@ By Djebbouri Faial
